Hi, I'm a normal user and don't run any websites. But since the expiration, I'm unable to access any sites using Chrome and get a " Your connection is not private" error for virtually every site I try to access. Any idea how I can resolve this issue? I use a Mac laptop, OSX El Capitan, 10.11.6. Any…

Interesting. Searching quickly on Google I found this problem open on GitHub from LibreSSL. Maybe there's a connection? The scenario reported in the problem is the same, unable to validate an alternative chain after the expiration of the root certificate. AddTrust …

I wonder if Apple would be willing to ship an OS update that changes this behavior. It would be great for site operators not to have to choose between losing compatibility with (some versions of) macOS and losing compatibility with (some versions of) Android.

I wonder how intentional this divergence from OpenSSL is. There’s an argument to make that the verification logic should verify the very chain I give it, and nothing else. It was news to me today that it’s apparently OK for TLS clients to validate against an expired root. If that’s the case then I …

I think it's been a contentious issue. Here's a take from Ryan Sleevi from last year: [image] Path Building vs Path Verifying: The Chain of Pain Disclaimer: This post represents personal opinions and thoughts, and does not represent the views or positions of my employer, Google. …

[image] FGasper: I wonder why roots have expiry dates at all. To let you know when to remove them from the non-expiring zone - LOL

The multiple-paths thing is familiar enough, but it was news to me today that a trust anchor is legitimate without an expiry date, even if its expression as a certificate contains a notAfter date (that isn’t freakishly far into the future, that is).

[image] Nummer378: Your device appears to be older than that, so it doesn't trust ISRG Root X1. This is causing the errors you're now seeing. Thanks for this! I run some buildbots deliberately using older macOS and their git and svn have been unable to pull new code since yesterday. What wo…

So adding "ISRG Root X1" fixed macOS 10.10 and 10.11, but macOS 10.12 and later already include "ISRG Root X1" by default, yet some versions are giving me trouble, others not. I think it may depend on OpenSSL/LibreSSL versions. I made a little table: macOS OpenSSL version 10.10.5 OpenSSL 0.9.8z…

FYI - more information on LibreSSL . The latest stable release is 3.3.4

Connection Errors on Apple Devices

Help

seanm October 1, 2021, 2:50pm 24

Very unlikely. They don't even provide security updates for older hardware that can't run their newest OS.

Site operators have another choice: don't use Let's Encrypt.

Topic		Replies	Views
Certificates are not trusted on Chrome and Safari on old iMac with El Capitan Help	53	34374	November 10, 2021
Chrome & Safari - Your connection is not private ERROR Help	39	5094	November 6, 2021
OS X 10.11 - Clients not connecting to site with Let's Encrypt certificates Help	16	31953	November 5, 2021
I have IdenTrust 1 and my Mac OSX is still screwed Help	8	1374	November 6, 2021
Renewal issue mac osx https Help	42	4172	November 15, 2021

Connection Errors on Apple Devices

Related topics